MDEV-11896: thd_security_context - use snprintf to fill buffer with i…

[grooverdan]

…nformation

Under string.append with insufficient space results in undefined behaviour, in
this case a segfault.

I submit this under the MCA.

[svoj]

Hi Daniel,

Thanks for your contribution. JIRA task just for the record: https://jira.mariadb.org/browse/MDEV-11896

This task was added to 5.5 backlog, which hasn't been scheduled yet.

Thanks,
Sergey

[grooverdan]

is there going to be another 5.5 - https://mariadb.com/kb/en/mariadb/mariadb-maintenance-policy/ list 11 April 2017 as the boundary?

[vuvova]

Stay tuned, it's being discussed. Probably we'll keep maintaining 5.5 as long as Oracle does or as long as distributions that have it are maintained.

[vuvova]

How does String::append result in undefined behavior?

[grooverdan]

Not sure however the back trace and upstream bug shows it can happen. Is the snprintf a simplification?

[vuvova]

I don't think String::append() is to blame here at all. This thd_security_context() accesses some other THD's data (user, query, etc). The caller is supposed to take care of proper locking, as far as I understand. Perhaps some callers don't? Then String::append() will try to resolve invalid pointer or access unmapped memory, and it'll crash.

[grooverdan]

OK. Makes sense. FYI I looked at https://clang.llvm.org/docs/ThreadSafetyAnalysis.html which despite looking promising didn't work as expected. I raised some clang bug reports so I'll find out soon if its me or the implementation being wrong.